Setting Up Mandrake Linux 10.1 as a Firewall
As you investigate various Linux Distributions, you will soon notice that some Distributions excel at certain tasks over other Distributions. For example, Novell/Suse provides an excellent authentication/file server with their SLES9 product, Xandros makes for a great desktop for those transitioning from Microsoft Windows, Slackware can't be beat as a terminal client, Debian excels as a general purpose/backup server because of its security team and it's long release cycle, etc.
Mandrake Linux offers one of the best OSS Firewall servers available today. This stems from the fact that Mandrakesoft offers a great product called Multi-Network Firewall (MNF), which was released back in 2002. Mandrakesoft's MNF product offers a gathering of different Open Source Software Projects under a single easy to use web based graphical interface. What is little known, however, is the fact that the functionality of that product has been incorporated into their standard Distribution.
This article will cover installing and configuring Mandrake Linux 10.1 as a Firewall computer. This includes configuring Shorewall for Firewall Services, Named as a caching DNS Server, Squid as a web proxy, Squidguard for web filtering services, along with Snort and Prelude for intrusion detection services. Advanced features, such as Virtual Private Networks and utilizing a Demilitarized Zone are possible using the web interface, but will not be covered here. Note: This article covers setting up Mandrake in a way that is not supported by MandrakeSoft, also there are bugs that I will explain how to work around. If you are not comfortable editing text files on Linux, there are many other firewall distributions available (although IMO this is the best). Proceed at your own risk.
Prerequisites for this install are a Pentium (or higher) based computer with at least 64MB of RAM (mainly for the install), a floppy drive, 2 supported network cards and at least a 1GB hard drive (2GB is recommended if you will use the Squid caching-proxy server). You can also use a single network card and a supported modem if you are going to implement this on a dial-up connection. The firewall computer must also utilize a "supported" video card for the installation routine, as the "text mode" installation will not work properly for our needs.
What is a firewall is used for ?
Well, what a Firewall allows you to do is to route and control network traffic travelling between two different networks. For instance, You will want to implement a firewall wherever you want computers on another network to have limited or no access to your network. The classic example of this is the Internet. You should put a firewall between your local network and the Internet to protect your computers from unnecessary or unwanted traffic coming from the Internet.
Another good use for a firewall is to separate any Wireless Access Points on your network, so all traffic will go through a firewall before entering your network. This actually allows you to offer Internet Access to any one using a wireless connection without compromising the security of your local network. You could also use a firewall to separate a "testing network" from a production network, especially if you need Internet Access for your testing network. Doing this allows you to fully configure and test any servers without harming the current network, this is especially useful when working with Windows Domains.
What makes up a good firewall?
Well first, it must do what it is supposed to do - block unnecessary traffic. Beyond that, what you want to look for is the ease of use/install, the amount of features, etc. These will vary for different sites. Some sites could get by with a simple IP Tables script that simply blocks most incoming traffic and routes all traffic from the internal LAN to the Internet. Other sites need advanced routing techniques. Today there are many standalone Linux distributions that offer Firewall Services. Smoothwall, etc. all offer easy to install/use, and most offer very nice features (some for a hefty price). A nice thing about using Mandrake Linux as a firewall is that not only can you implement nearly any feature for little or no cost, but you also have nearly any Open Source Packages you would want or need readily available. Plus, the entire product is GPL'd so that you can see exactly how the product works at the source level if needed.
Preparing for Installation
For this installation I will be using an FTP install from one of Mandrake's Worldwide mirrors, as the downloadable 3-CD or DVD Images do not have the required packages. Note that even though this product is freely available under the GPL license, please either buy the full Mandrake distribution or join the Mandrake Club to ensure further development. Also, if you want commercial support for this firewall, Mandrake's MNF product is still available at their website.
In order to perform an FTP installation you must first create two diskettes that will be used for the install. Go to http://www.mandrakelinux.com/en/ftp.php3 and select a mirror to download the floppy images from. The diskette images will be located in the
directory, the files you want are network.img and network_drivers.img.
To get these images onto a floppy under Linux, simply type
dd if=network.img of=/dev/fd0 bs=1024 conv=sync
at a command prompt. Under Windows, you must also download a floppy image writer utility, which can be found in the
directory, the file you want is rawritewin.exe. Once Downloaded, simply launch the application and locate the image file you want to write to a floppy.
Starting the Installation
Upon booting the computer with the network.img diskette, the installation routine should start and (hopefully) at least one of your network cards will be detected. Enter all the relevant information, such as IP Address, DNS and Gateway addresses that will allow you to download the software from an FTP server through your Internet connection.
The next step will be to select the installation type and either select an "Official" mirror, or enter the FTP server settings you want to use. If everything is correct, the graphical Installation program will be downloaded from the Internet and setup will continue. Depending on your connection speed, and the speed of the FTP server, this could take a while. If you are planning to "mass produce" these firewalls, it is best to setup a local mirror to speed up installation.
Once the graphical part of the installation starts, just step through the beginning settings of the installation, choosing what suits your machine. You will however want to choose "Higher" as the "Security Setting". Also once you get to package Selection, you must uncheck every "Package Group Selection" item and make sure you select "Individual Package Selection" before proceeding.
After you continue from the package selection screen, the installation program will ask you which minimum installation selection you want, usually it is a good idea not to run X on a firewall, so just select "with basic documentation", or "Truly minimal install" and continue on. When it asks for the packages you want to install, you will want to switch the package list to "flat" instead of group sorted, you do this by clicking on the arrows that look like a refresh button.
Now we will select the packages that will allow Mandrake 10.1 to act as a Firewall Device. First you must find and select "httpd2-naat", this will select this package as well as automatically select various other packages needed. Next you will want to select the "mnf-en" meta package that will select most of the other needed packages. Note: You must select httpd2-naat before you select mnf-en, otherwise it will try to use settings for apache ver 1.x instead of apache ver 2.x, thus the software will not work. The only other mandatory package you must select is naat-frontend-www-doc, although you may want to select other packages, such as "slocate" or "kernel-secure" (recommended) depending on your preferences. Just remember that this is a firewall, and the fewer packages you install the better.
As you continue the install, when it asks for users, ensure that you create the "admin" user, as well as one other user that you will use to login to the firewall. The admin user will be the user that you will use to login to the web configuration page. Also, when you configure services that start on boot, make sure you select any that your computer may need to boot, as well as the httpd2-naat service and possibly ssh if you want to remotely login.
After the first boot
After the install is done and you reboot the computer, you will notice that many services might have failed, even the httpd2-naat service will fail. To get the httpd2-naat service to work, you need to update the SSL certificates. You can do this by issuing the following command, (as root, in the /root directory):
This script will ask you a few questions before it generates the required SSL Certificates, so you can either enter the information, or just hit enter through all the questions and the certificates will be created. Now, copy the certificates to the correct place:
cp server.* /etc/ssl/apache2
Before httpd2-naat will actually run, you must edit one of the apache configuration files, "/etc/httpd/conf.d/51_ssl.httpd2-naat-vhost.naat". Within that file, wherever it says:
"/etc/ssl/apache/server.crt" and "/etc/ssl/apache/server.key"
change it to
"/etc/ssl/apache2/server.crt" and "/etc/ssl/apache2/server.key"
Once you are done editing that file, go ahead and try to restart the httpd2-naat services with:
Now the service should start and you should now be able to remotely log into the web based configuration pages.
Configuration Using the Web Interface
Once installation is complete and you have the httpd2-naat service running, you will want to log into your firewall remotely by using a web browser. The address you will need to use is:
https://IPADDRESS:8443/ - for example https://10.0.0.10:8443/
If you run into a "connection refused" or any other similar error, the problem is that shorewall is enabled, but not yet configured. To fix this simply type the following at the Firewall Computer:
Note: While setting up your firewall, the software will automatically restart Shorewall in some instances. Until Shorewall is properly configured, you may need to run the "shorewall clear" command whenever you find that you cannot connect to the web interface on your firewall.
To begin configuring your firewall, you must enter the system setup section, it will have you hit next to read the current settings. Unfortunately these scripts are a little outdated, so you will probably have an empty slate to start with, just click "apply". Again, if you get a connection refused error or similar, you must execute the "shorewall clear" command at the firewall to reconnect.
Continuing setup, go back into the "System Setup" section, click on modify and re-enter the system and domain name you will use. Then click on "Network Cards" and ensure that all of you network cards are detected and all the basic settings are correct.
Continuing down the line of the System Setup section, the Account section will allow you to change your password, the Alert section will allow you to change the system's log level, and Time will allow you to change the time zone and specify a ntp server to sync the time with. You will want to rerun the Time setup after you configure your Internet settings and Shorewall to ensure you will be able to connect to a time server.
The Internet Access section allows you to configure how your firewall accesses the Internet as well as the settings required to connect. Most firewalls will use the Cable/LAN settings to connect to the Internet, so click on it and enter the required fields for your Internet connection, otherwise select the proper connection method and enter the appropriate settings.
Don't worry to much about the Internet status section, as it rarely works properly. Also on this page, the "Provider Accounts" will eventually allow you to setup commercial ISP settings, but for now it just tells you to use the Cable/Lan settings. The "Schedule" setting allows you to set the time where the firewall will be able to connect to the Internet if you are using a modem to dial into another server. If you want to adjust the schedule for Internet access using a LAN connection, you will only be able to do this if you enable the Squid Proxy service, and utilize Squidguard (accessed through the "Services" section, which will be covered later).
The Firewall Rules section is where you will be able to configure Shorewall to specify what traffic through your firewall will be allowed and denied. The first thing you must do is to setup your zones. By default there are 3 different zones; WAN, LAN and DMZ. These specify what type of connection each Network card will be connected to, most people will only use the WAN and LAN zones. So, you will want to specify the network card connected to the Internet as a "WAN" zone, and the network card connected to your private network as a "LAN" zone.
After setting up your network "zones", you will want to skip down to the default policies section. Default policies allow you to setup the default behavior for information traveling between different zones. Most of the default policies should be properly setup for you. One setting you may want to change, however, is the policy of traffic coming from the LAN zone to the Internet zone. By default, you must specifically allow any connection going through the firewall. This means that if your computers on the LAN interface try to access the Internet through a non-standard port (such as streaming video), the connection will be refused (and you will hear about it from the user). A very quick fix for this problem is to either:
A) set the default policy to allow all connections originating from the LAN Interface
B) specifically allow certain IP addresses full outgoing permissions
If you choose to deny Internet access through all but certain popular ports, be prepared to add lots of rules to the firewall in the first week or two. I usually go ahead and deny most ports, then add whatever ports are needed. If it gets to be quite a few for only one or two users, go ahead and create a rule that says anything coming from their IPs are allowed.
In order for the firewall to be able to "share" it's Internet connection, you must either setup IP Masquerading or setup a Proxy Server (or both). It is extremely easy to setup IP Masquerading with 2 Network cards using the web interface. Again, if you are planning on using the Squid Proxy server, you do not need to enable IP Masquerading for simple web browsing.
For masquerading using 2 network cards, simply click on Masq NAT, then enter the Network Interface you want to masquerade (LAN Interface), then the Network card connected to the Internet. Also, you could enter all the relevant IP Addresses instead of Network Interfaces, but for simple masquerading this is not necessary. From this screen, you can also setup advanced NAT rules, such as utilizing a DMZ, if this is needed.
Creating Firewall Rules
Firewall rules allow you to change the Default Policies (specified earlier) for certain circumstances. Firewall Rules also allow you to "Forward" any packets on a port to a different computer on the LAN, this is useful if you setup a server on your network that you want people to be able to access from the Internet. Also, if someone wants to play online games from behind the firewall, you will need to forward the traffic for that port to their computer's IP Address.
To create a rule that will allow access through a port, click on "add simple rule". This will bring up a dialog that has a drop down box of popular ports and applications. This dialog will allow you to create a simple "Allow" or "Deny" rule based on the port number, what protocol is being used, where the traffic is originating from, and where it is going to (for example coming from the LAN (local network) and going to the WAN (Internet).
Note: Even though the "add simple rule" has a forward check box, DO NOT use it to setup a port forwarding rule. This interface was created for Shorewall version 1.3.7 and Mandrake 10.1 uses Shorewall version 2.0.8, which has changed the way it forwards packets. If you do inadvertently check that box, Shorewall will refuse to start.
In order to create a port forwarding rule, you must go through the "Add Custom Rule" dialog. Simply enter all the relevant information, including the I.P. address of the computer you want the traffic to go to and make sure you select "DNAT" as the action. Then, after applying the Firewall Rules, port forwarding should work as expected.
After you setup all the relevant rules you want, it is now time to start the firewall service and ensure that your machines on the LAN are able to access the Internet through the firewall computer. On any computer that you wish to be able to access the Internet through the Firewall, adjust it's Network Settings so it will use the Firewall's IP address as the default Gateway address.
Note: Before you actually start the firewall service, you must delete the rule for port 20022, that rule is not formatted properly and Shorewall will not start with that rule in place. Also, if you are having difficulty in getting shorewall to start, go to the firewall computer and restart the Shorewall service manually using the command:
and watch the output. If shorewall fails to start it will tell you which rule is causing the problem. To fix it, simply do a "shorewall clear", login to the web config pages and delete any offending rules (recreate them if needed) and restart shorewall.
The other options available through the Firewall Rules section include:
Blacklists - allows you to specify hosts by IP or network that the firewall will simply drop its packets. This is good if you continually get messages in your logs for "questionable" activity coming from certain IPs.
TOS - allows you to define TOS service field in packet headers (advanced use).
Tunnels - allows you to setup IPSEC tunnels for secure communication between hosts (advanced use).
Basic Web Services
So far we have setup a basic firewall that allows you to share the Internet connection, as well as protect your network from Internet traffic. Now we will enhance the Firewall with Services that will allow for easy client setup, improve your Internet speed and filter out undesirable web pages or content that you may wish to remove. Ordinarily, companies charge quite a bit of money to provide these services (especially for content filtering), but here I will discuss how to setup these services using Mandrake Linux and it's web interface.
DHCP and Caching DNS
To automate the configuration of your network clients, you can enable the DHCP server service available on the firewall. DHCP (Dynamic Host Configuration Protocol) allows you to have the firewall automatically send the computers on your LAN the correct IP configuration values during bootup. So, instead of going to each machine and entering a separate IP address, subnet, DNS server and gateway machine, you can have the LAN computers get this information from your firewall. To set this service up, click on DHCP and enter the relevant information, it is pretty self explanatory.
To alleviate excess DNS lookups over your Internet connection, you can setup the firewall to act as a DNS server for your LAN. Doing this will enable the firewall to "cache" all of the nameserver lookups, so if multiple clients try to find the IP address for the same domain name, such as http://www.google.com/, the firewall will send the correct information without needing to access your Internet Service Provider's DNS server.
To enable the Caching DNS service, you simply need to enter the IP address of a forwarding DNS server. This will allow the firewall to query that DNS server if it does not have the information in it's cache. If for some reason the DNS service fails to start or gets mis-configured, simply shut off the service, login to the firewall and move the /etc/named.conf file to something else, such as /etc/named.bak and re-enable the service. The software will re-create a correct /etc/named.conf file to allow the service to work again.
Note: If you run a network utilizing Microsoft Active Directory, Microsoft Exchange Server, or any other newer Microsoft Server, you must utilize Microsoft's DHCP and DNS Services, otherwise you will have severe network slowdowns and communication errors.
Web Proxy and Filtering
One way to really speed up your Internet service is to provide a way to "cache" web pages at the firewall so that if multiple users go to the same sites, most of the images and other information will be retrieved from the firewall instead of the remote Web Server. Also when you implement a proxy or "caching" service, you can also utilize a site/content filter to deny access to certain remote sites, such as pornography or content, such as ads. Many companies produce products that will do this type of filtering, however, these products are quite expensive and IMO are no better than what the OSS community offers with these tools.
Another benefit of a Proxy or "Caching" Server is the ability to only provide Internet Access to people "authenticated" to use the Internet. Mandrake offers the ability to provide a "transparent" proxy, manual proxy or manual "authenticating" proxy using either locally created usernames, an LDAP user database or a SMB (Windows Domain) user database.
The "transparent" settings are just about the same as a "manual" setting, except that it simply adds a "Redirect" to port 3328 rule to your Shorewall settings for traffic coming from the LAN. So, I guess you could even have a "transparent authenticating" proxy if you really need one.
Using the web interface it is quite easy to enable the proxy server, simply click on the Web Proxy settings, then select the type of proxy, either manual, manual authenticating or transparent. The easiest is "transparent" because you will not have to adjust any settings on your clients to be able to use the proxy server, it will simply "just work".
Once you setup and enable the Web Proxy, you will notice that you now have the opportunity to configure both a URL Filter (SquidGuard) and a Content Filter (Dansguardian). When you start to implement each of these services, it is best to do things a step at a time, any misconfiguration could lead to your LAN computers not being able to access the Internet at all.
For those wishing to enable Squidguard here are a few tips. First, make sure you add your local network to the authorized network list (i.e. 192.168.0.0/24). If you plan to block quite a few sites, do not use the web based tools, instead go to a command line and manually add whatever you want to the database through simple text files. An easy way to do this would be to download an updated blacklists file from squidguard.org. Then, once these are downloaded, uncompress them in the root (/root) directory and add the contents of whatever list you want to ban to one the following files:
/usr/share/squidGuard-1.2.0/db/advertising/urls /usr/share/squidGuard-1.2.0/db/advertising/domains /usr/share/squidGuard-1.2.0/db/banneddestination/urls /usr/share/squidGuard-1.2.0/db/banneddestination/domains /usr/share/squidGuard-1.2.0/db/banneddestination/expressions
you can do this with vi by "reading" the file in using the ":r /path/to/filename" command. The advertising directory will replace advertising content with a small dot(so an annoying error box will not show up), while the banneddestination directory will deny all access to the specified sites. Once this is done, you must change these text files to a SquidGuard database by issuing:
squidGuard -C all
One more thing, make sure that squid is both the owner and group of these files by executing the following command:
chown squid.squid /usr/share/squidGuard-1.2.0/db -R
Your Proxy Server will now block these sites (after you restart squid). Unfortunately, there is another bug we must fix, so the "denied page" is not an access denied to the squidguard.cgi file, but instead the nice, somewhat informative blue/green Mandrake denied page.
To fix this you must edit the "/etc/httpd/conf/commonhttpd2-naat.conf" file. Toward the end of the file, it will list the "/var/www-naat/cgi-bin" directory. You must add the following so the web server will have permission to use the SquidGuard cgi-bin directory.
<Directory /var/www-naat/squidGuard> AllowOverride All Options ExecCGI <IfModule mod_access.c> Order allow,deny Allow from all </IfModule> </Directory>
Finally, if you ever (accidentally) go back to the banned destination configuration page through the web interface, you must once again recreate the databases and change the ownership manually. As for configuring Dansguardian, please visit their website at http://www.dansguardian.org. In my experience, SquidGuard seems to be enough of a deterrent that Dansguardian is not needed.
Using the web interface, you can enable both Snort and Prelude Intrusion Detection Systems. These IDS services work quite well, unfortunately, when you have an IDS on a computer directly connected to the Internet you will get quite a few false positives. So, weeding through the logfiles can quickly become a fulltime job. If you do plan on enabling the IDS on the firewall, it is best to also use a "helper" application that will allow you to just view "threats" on your machine, such as logwatch.
Optimally, if you do have a large network, it is best to place an IDS server somewhere on your LAN so you can monitor for any suspicious activity that somehow makes it through your firewall. For more information on how to do this, there are two books available from the Bruce Peren's Open Source series at http://phptr.com/perens. The titles are "Open Source Security Tools" and "Intrusion Detection with Snort".
Testing and Enhancing your Firewall
Testing your Firewall
One of the final things you should do before implementing a firewall solution is to ensure you fully test it to make sure it does what it is supposed to. You should run these tests on both sides of the firewall, the Internet side, as well as the LAN side. In order to properly test your firewall, there are a few applications available. The first application you should use would be a port scanner to ensure your firewall rules are in place. The most popular port scanner, NMAP is available for nearly any Operating System at http://insecure.org/nmap.
Another other tool that you should run on your firewall would be a vulnerability scanner. These tools will scan your server for known vulnerabilities, such as ones "script kiddies" would take advantage of. You can get a good vulnerabilitiy scanner called Nessus for Linux/Unix based machines from http://www.nessus.org.
Enhancing your Firewall
One of the great things about utilizing Mandrake Linux 10.1 for your firewall is the fact that there are so many packages available for it. It is very simple to add additional tools that would be beneficial for you run. A few of them would be:
ntop- Network traffic probe - this package is accessed through a web interface. Once installed you must ensure that the "/usr/share/ntop" directory has correct permissions, then add the following to /etc/sysconfig/ntop - extra_args="-i eth0,eth1 -M" to allow ntop to monitor both network interfaces. Then simply open http://ipaddress:3000 in your browser to utilize the program.
mrtg- Multi Router Traffic Grapher will monitor the traffic load on your firewall, also available through a web interface.
netwatch- terminal based network watching program. Simply type in "netwatch -e eth1" at a prompt to watch all the traffic going through your LAN interface.
All of these packages can be easily installed by running a "urpmi packagename", then after they are configured you will be able to take advantage of the software. There are hundreds other packages you could take advantage of, such as squid-log analyzers, packet sniffers, etc., all of these are only an urpmi away.
Note: It is extremely easy to add additional services to your firewall, such as a Mail, FTP or a Web Server, however, it is strongly discouraged to run anything but the "bare minimum" services on a firewall computer.
A firewall is one of the first things that you must consider when securing a network. There are many products available to handle this job, ranging from "Linux on a floppy" firewalls and low-cost "home firewall" devices, all the way to highly expensive Cisco Pix firewalls. However, if you want full functionality, Mandrake offers an easy to use web interface coupled with all the features you could want in a firewall (including VPN services), plus the expandability that comes with a complete commercial Linux distribution. All for a price that will not break your budget.